PERSONAL DATA PROTECTION STATEMENT

We are glad that you are interested in our website. We attach great importance to protecting your personal data when they are collected, processed and used on your visit to our website. We respect the regulations contained in the EU General Data Protection Regulation (Regulation (EU) 2016/679)

As a general principle, HERON REAL ESTATE’s website (www.heron-realestate.com) can be used without supplying any personal details (e.g. the name, address, email address or telephone number of the person concerned). However, if you wish to use special services offered through our website, it may be necessary for us to process personal details. We always obtain your consent if it is necessary to process personal data, and the basis for processing them is not already enshrined in law.

This notice informs you of the way in which we collect, process and use personal data, the extent to which we do so, and our purpose in doing so. This data protection notice also informs you of your rights.

We have taken a number of technical and organisational steps to protect any personal details of yours processed through this website as seamlessly as possible. Nevertheless, we point out that due to the transmission of data over the internet and possible security loopholes associated with this technology, it is not possible to guarantee absolute protection. For that reason, you have the option of sending us your personal data by other means (e.g. by phone or post).

1. Terms

In the course of this data protection notice, we use the terms also used in the EU General Data Protection Regulation (GDPR). Those terms are the following:

– Personal data“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

– Data subjectA “data subject” is any identified or identifiable natural person whose personal data are processed by the entity responsible for processing.

– Processing“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

– Restriction of processing“Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;

– Profiling“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

– Pseudonymisation“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

– Filing systemA “filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

– Controller“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

– Processor“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

– Recipient“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data as part of a particular inquiry in accordance with Union or Member State law are not regarded as recipients.

– Third party“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

- Consent“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signal agreement to the processing of personal data relating to them.

In accordance with Art. 6 (1) GDPR, the processing of personal data by us is legal if at least one of the following conditions is met:

a) The data subject has given their consent to the processing of personal data relating them for one or more particular purposes;b) The processing is required for fulfilling a contract to which the data subject is a contracting party, or to carry out pre-contractual measures to be taken at the request of the data subject (e.g. product enquiries);c) Processing is required to meet a legal obligation imposed on the controller (e.g. tax obligations);d) Processing is required to protect vital interests of the data subject or another natural person (e.g. health insurance data of a visitor in the event of an accident in our offices);e) Processing is required to perform a task which lies in the public interest or carried out in the exercise of official authority conferred on the controller;f) Processing is required to preserve the legitimate interests of the controller or a third party unless the interests or basic rights and basic freedoms of the data subject which require the protection of personal data, predominate, especially if the data subject is a child.

4. Registration of general data and information

When a data subject or an automated system visits our website, general information on their visit is generally stored in the log files of our service provider. This can relate to the type and version of browser used, the operating system as well as the website from the data subject or automated system arrived on our website, and equally it can refer to the subpages visited on our website, the date and time when the website was accessed, the IP address, the Internet Service Provider of the accessing system and other data and information which we need to avert danger in the event of attacks on our IT systems.

These data are not used by us to enable us to deduce the identity of the data subject. Rather we need the data to correctly transmit content on our website, optimise our site, guarantee its full functionality or provide law enforcement authorities the information they need in the event of a cyber attack. We evaluate these data solely for statistical purposes and also to enhance data protection and data security within our company. The intention is to ensure that the personal data processed by us are given the best possible protection. We store personal data which you communicate to us separately from the anonymous data specified which our server records in log files.

5. Contact option via the website

In accordance with statutory requirements, details can be found on the website www.heron-realestate.com which allow you to make contact with our company electronically and to communicate with us directly. Such information also includes our email address.

If you contact us by email or by using a contact form, the personal data you send us will be stored automatically. These data sent to us voluntarily by you, are stored for the purpose of processing your enquiry or contacting you as a data subject. We do not pass such data on to third parties without your accept.

6. Routine deletion and blocking of personal data

We only process and store personal data for the time required to meet the purpose of storing them, or if there are statutory provisions requiring such storage which we are obliged to respect.

If the purpose for which the data have been stored, no longer applies or if a statutory storage term expires, the personal data routinely blocked or deleted in accordance with statutory regulations.

7. Rights of the data subject

On the basis of provisions contained in the GDPR, you enjoy the following rights as a data subject.

– Right of confirmationAs a data subject, you have the right to request confirmation from the controller responsible for processing data as to whether personal data relating to yourself are being processed. If you would like to take advantage of this right of confirmation, you are free at any time to approach us.

– Right of informationAs a data subject, you have the right at any time to obtain free information from us on the personal data stored about you and to receive a copy of such information. You also have the right to receive the following information:a) the purposes of the processingb) the categories of personal data processedc) the recipients or categories of recipients to whom the personal data were disclosed or are still being disclosed, particularly in the case of recipients in third countries or international organisationsd) if possible, the planned length of time for which the personal data will be stored, or if this is not possible, the criteria for defining this duratione) the existence of any right of correction or deletion of the personal data relating to you, or any right to restrict processing by the controller or any right of objection to such processingf) the existence of any right of complaint to a regulatory authorityg) if the personal data are not ascertained from you as the data subject: all available information on the origin of the datah) the existence of an automated decision-making process including profiling in accordance with Article 22 (1) and (4) GDPR — at least in these cases — meaningful information on the logic involved as well as the targeted effects of any such processing for you as a data subject

If personal data are sent to a third country or an international organisation, you have the right as a data subject to be informed of the appropriate guarantees in accordance with Article 46 GDPR in connection with their transmission.

If you as a data subject would like to take advantage of this right of information, you can approach us at any time.

– Right of correctionAs a data subject, you have the right to demand that we immediately correct any false personal data relating to you. Taking account of the purposes of the processing, you have the right as a data subject to demand that incomplete personal data are completed — even by means of a supplementary statement.

If you as a data subject would like to take advantage of this right of correction, you can approachus at any time.

– Right of deletion (“right to be forgotten”)As a data subject, you have the right to ask us to immediately delete personal data relating to yourself if one of the following reasons applies and provided processing is not required:

a) The personal data are no longer needed for the purposes for which they were collected or otherwise processed.b) The data subject revokes their consent on which the processing was based in accordance with Art. 6 (1) (a) GDPR or Art. 9 (2) (a), and there is no other legal basis for the processing.c) The data subject objects to processing in accordance with Art. 21 (1) GDPR, and there are no overriding, justified reasons for the processing, or the data subject objects to the processing in accordance with Art. 21 (2) GDPR.d) The personal data were illegally processed.e) Deletion of the personal data is required to meet a legal obligation in accordance with Union or Member State law to which the controller is subject.f) The personal data were collected with reference to services offered by the information society in accordance with Art. 8 (1) GDPR.

If one of these reasons applies and you as the data subject would like to effect the deletion of your personal data stored by us, you can approachus at any time. We will ensure that the request for deletion is complied with promptly.

If we have published the personal data and our company is obliged under Art. 17 (1) GDPR to delete the personal data, we will take appropriate steps, including of a technical nature, taking into account the technology available and the implementation costs, to inform other controllers responsible for processing the data who are processing the personal data published that you as the data subject have requested that such other controllers responsible for processing delete all links to these personal data or copies or duplicates of such personal data unless processing is necessary.We will make all the necessary arrangements in each individual case.

– Right of restriction of processingAs a data subject, you have the right to ask us to restrict the processing if one of the following conditions is met:

a) The accuracy of the personal data is disputed by the data subject for a length of time which allows the controller to review the accuracy of the personal data.b) The processing is illegal, you as the data subject reject the deletion of your personal data and instead request that the use of the personal data be restricted.c) We have no further need of the personal data for the purposes of processing, but you as the data subject need them in order to assert, exercise or defend legal interests.d) You as the data subject have objected to the processing pursuant to Art. 21 (1) GDPR, and it has not yet been determined whether our legitimate reasons outweigh your reasons as the data subject.

If one of these conditions is met and you as the data subject would like to request the restriction of your personal data stored by us, you can approachus at any time.We will arrange for processing to be restricted.

– Right of data portabilityAs a data subject, you have the right to receive the personal data relating to yourself which you have provided to us in a structured, conventional and machine-readable format. You also have the right to transmit these data to another controller without being hindered in doing so by the controller to whom the personal data were provided, provided the processing is based on the consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and the processing is conducted with the aid of an automated procedure unless the processing is required for performing a task which is in the public interest or is carried out in the exercise of official authority conferred on the controller. As a data subject exercising your right of data portability pursuant to Art. 20 (1) GDPR, you also have the right to have your personal data transmitted directly from one controller to another provided this is technically feasible and unless the rights and freedoms of other persons are impaired by doing so. If you as a data subject would like to take advantage of this right of data portability, you can approachus at any time.

– Right of objectionAs the data subject, you have the right, for reasons stemming from your particular situation, to object at any time to the processing of personal data relating to yourself carried out on the basis of Art. 6 (1) (e) or (f) GDPR. This also applies to any profiling based on these provisions.

In the event of an objection, we will no longer process the personal data unless we can show compelling, sensitive reasons for the processing which outweigh the interests, rights and freedoms of yourself as the data subject, or the processing serves to assert, exercise or defend legal interests.

If we process personal data in order to conduct direct advertising, you as the data subject have the right to object at any time to the processing of the personal data relating to yourself for the purpose of such advertising. This also applies to the profiling provided it is associated with such direct advertising. If you as the data subject lodge an objection with us to the processing for the purpose of direct advertising, we will no longer process the personal data for such purposes.

As the data subject, you also have the right, for reasons arising from your particular situation, to object to the processing of personal data relating to yourself carried out on our premises for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 (1) GDPR, unless such processing is required to perform a task which lies in the public interest.

If you as a data subject would like to take advantage of this right of objection, you can approachHERON REAL ESTATE at any time. As the data subject, you are also free to exercise your right of objection in connection with the use of services of the information society, notwithstanding Directive 2002/58/EC by means of automated procedures in which technical specifications are used.

– Automated decisions in individual cases including profilingAs a data subject, you have the right not to be subject to a decision based on automated processing — including profiling — which is legally binding on you or which has a considerably adverse effect on you in some other way unless such decision

a) is required to conclude or fulfil a contract between you as the data subject and ourselves, orb) is permitted due to legal regulations of the Union or Member States to which we are subject, and such legal regulations contain appropriate measures for preserving the rights and freedoms as well as the legitimate interests of yourself as the data subject, orc) has been made with your explicit consent as the data subject.

If the decision is necessary for concluding or fulfilling a contract between you as the data subject and ourselves, or if it is taken with your explicit consent as the data subject, we will take appropriate steps to preserve your rights and freedoms as well as your legitimate interests as the data subject which at the very least includes the right to have a person from HERON REAL ESTATE intervene, set out your own viewpoint and contest the decision.

If you as a data subject would like to take advantage of these rights regarding automated decisions, you can approachus at any time.

– Right to revoke consent under data protection lawsAs the data subject affected by the processing of personal data, you have the right at any time to revoke your consent to the processing of personal data.

If you as a data subject would like to take advantage of this right revoke your consent, you can approachus at any time.

8. Data protection provisions regarding the deployment and use of Google Analytics

This site also comprises some components transmitted by Google Analytics, a web traffic analysis service offered by Google, Inc.

Google Analytics is a web analysis service. Web analysis is the collection, aggregation and evaluation of data regarding the behaviour of visitors to websites. Among other things, a web analysis service records data on the website from which you as the data subject have arrived on our website (so-called referrer), which subpages of our website you access or how often and the length of time you view any particular subpage. Web analysis is primarily used to optimise our website.The company operating the Google Analytics Component is Google Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.The purpose of the Google Analytics is to analyse visitor traffic on our website. Google uses the data and information gained among other things to evaluate use of our website, compile online reports for us which identify activities on our web pages and to provide further services in connection with the use of our website.Google Analytics places a cookie on the IT system used by you as the data subject. Cookies are text files that are placed and stored on a computer system through a web browser. Many internet sites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID identifies the cookie unambiguously. It consists of a series of characters through which internet sites and servers can be attributed to the specific web browser on which the cookie has been saved. This allows the websites and servers visited to distinguish the individual browser of the data subject from other web browsers containing other cookies. A particular web browser can be recognised and identified using this unique cookie ID.

By placing the cookie, Google is able to analyse use of our website. Every time one of the individual pages of this website operated by HERON REAL ESTATE and which has a Google Analytics Component installed, is called up, the internet browser on the IT system of the data subject is automatically induced by the relevant Google Analytics Component to transmit data to Google for the purpose of online analysis. As part of this technical process, Google becomes aware of personal data such as the IP address of the data subject which among other things enable Google to trace where visitors come from and what they click on, thereby facilitating commission billing.

Personal information, e.g. time of access, location from which the site was accessed and the frequency of visits to our website by the data subject, are saved by means of cookies. With every visit to our website, these personal data, including the IP address of the internet connection used by the data subject, are transmitted to Google in the United States of America. These personal data are stored by Google in the United States of America. Google may pass on these personal data collected via the technical procedure to third parties under certain circumstances.

The data subject can at any time prevent our website from placing cookies, as described above, by making a corresponding setting in their internet browser, thereby permanently rejecting the installation of cookies. Any such setting in the internet browser used would also prevent Google from installing a cookie on the data subject’s IT system. Any cookie already installed by Google Analytics can also be deleted at any time via the internet browser or other software programmes. We invite you to consult Google Analytics for any additional information and updates.

9. Length of time for which personal data are stored

We store personal data in each case for the period defined by the relevant statutory retention period. After this deadline expires, the corresponding data are deleted as a matter of routine provided they are no longer required to fulfil or initiate a contract.

10. Statutory or contractual regulations on the provision of personal data; necessity for conclusion of contract; obligation of the data subject to provide their personal data; possible consequences of non-provision

We inform you that the provision of personal data is partly prescribed in law (e.g. tax regulations) or can result from contractual obligations (e.g. details of contractual partner). Sometimes the conclusion of a contract may require you as the data subject to provide us with personal data which consequently have to be processed by us. For example, as the data subject, you are obliged to provide us with personal data if our company concludes a contract with you. Any failure to provide personal data would mean that no contract could be concluded with you as the data subject. Before you as the data subject provide personal data, you must approach us. The latter will clarify for you as the data subject based on the individual case whether the provision of personal data is statutorily or contractually prescribed or is required to conclude the contract, whether there is any obligation to provide personal data and what the consequences would be of not providing personal data.